Revision history

initial version

The most probable cause would be that those packets have multiple IP layers (like an ICMP destination unreachable packet that has part of the original packet as ICMP payload). Can you try tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len to get a little more info on those packets?
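
An added example, not part of the original answer, showing why one packet can yield two values for each ip.* field: it builds a constructed ICMP destination unreachable packet and walks every IPv4 header in it, including the one quoted in the ICMP payload. The addresses, ports and helper names are assumptions chosen for illustration.

```python
import socket
import struct

# ICMP types whose payload quotes the IP header of the offending packet
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ip_layers(packet):
    """Return (proto, src, dst, total_len) for the outer IPv4 header and for
    any IPv4 header quoted inside an ICMP error message."""
    layers, offset = [], 0
    while len(packet) - offset >= 20 and packet[offset] >> 4 == 4:
        ihl = (packet[offset] & 0x0F) * 4
        if ihl < 20 or len(packet) - offset < ihl:
            break  # malformed or truncated header
        total_len, = struct.unpack_from("!H", packet, offset + 2)
        proto = packet[offset + 9]
        src = socket.inet_ntoa(packet[offset + 12:offset + 16])
        dst = socket.inet_ntoa(packet[offset + 16:offset + 20])
        layers.append((proto, src, dst, total_len))
        offset += ihl
        # Descend only when the payload is an ICMP error carrying a quoted packet
        if proto != 1 or len(packet) - offset < 8 \
                or packet[offset] not in ICMP_ERROR_TYPES:
            break
        offset += 8  # ICMP type, code, checksum and 4 unused bytes
    return layers

def field_columns(layers):
    """Join each field's occurrences with commas, one column per field."""
    return "\t".join(",".join(str(v) for v in col) for col in zip(*layers))

# Constructed sample: 10.0.0.5 sent a 60-byte UDP/IP packet to 192.0.2.10:53,
# which answered with ICMP type 3 code 3 (port unreachable) quoting the
# original IP header plus the first 8 bytes of the UDP datagram.
QUOTED = ipv4_header(17, "10.0.0.5", "192.0.2.10", 40) \
    + struct.pack("!HHHH", 40000, 53, 40, 0)
ICMP = struct.pack("!BBHI", 3, 3, 0, 0) + QUOTED
UNREACHABLE = ipv4_header(1, "192.0.2.10", "10.0.0.5", len(ICMP)) + ICMP
PLAIN_UDP = QUOTED + bytes(32)

if __name__ == "__main__":
    print(field_columns(ip_layers(UNREACHABLE)))
    print(field_columns(ip_layers(PLAIN_UDP)))
```

The second ip.len value (60) is larger than the whole ICMP packet (56) because it is the length recorded in the quoted header of the original packet, of which only the first 28 bytes are carried.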